Can we require protocols to support unlinkable revocation?

[johannhof]

@martinthomson voiced concerns about unlinkable revocation methods such as Cryptographic Accumulators being widely applicable enough to make them part of the protocol registry inclusion criteria for privacy.

I don't have enough practical experience on this topic to decide - so I'm opening this issue for discussion.

[simoneonofri]

summoning @jaromil @andrea-dintino @mmaker

The only issue is that we are talking about protocols, which potentially support different credential formats, which potentially support different revocation methods depending on their “profile.”
I agree that it is good to be concerned about the entire Layer 3 of Credentials, but I think it is complex to verify which specific profile is used.

[johannhof]

Yeah, sorry, I guess we could say "protocol needs to support formats that support unlinkable revocation", if this was our goal.

[simoneonofri]

@johannhof thanks for the clarification, it makes sense to me

[jaromil]

This problem is very dear to me, the first of the 'seven sins' in EUDI. to contribute to the discussion we published SD-BLS in a IEEE journal, here is the pre print in open access
https://arxiv.org/abs/2406.19035

[andrea-dintino]

My comments:

• accumulators don't scale enough to do large-scale revocation: producing a "Witness" (i.e. calculate a blob of credential hashes) for 1,000,000 signatures it takes 5-8 sec (to add the 1,000,001st it takes 5-8 sec and a little more)

• our SD-BLS paper proposes a solution to do unlinkable revocation, without going through accumulators

• Longfellow-zk (implementation of Frigo and Shelat's paper) changes the rules of the game and the priorities on revocation quite a bit

[c2bo]

From a layering prospective, this is very likely bound to credential formats - on the protocol level it would mainly be about being able to support such formats (and possibly additional data required in a presentation to convey credential status) imho?

Generally speaking, revocation seems to be still in a pretty weird state and best case for the time being seems to be to try to avoid revocation or reduce its burden by issuing short-lived credentials. Accumulators or similar techniques don't really help you much if your credentials are ECDSA based (and you are presenting those directly) since proving the binding to the credential becomes really hard without losing privacy. Privacy-preserving (unlinkable) revocation becomes imho really important for the shift towards Anonymous Credentials (ZKP).